NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Example for Configuring ARP Bidirectional Isolation and ARP VLAN CAR

This section provides an example for configuring ARP bidirectional isolation and ARP VLAN CAR. A configuration networking diagram is provided to help you understand the configuration procedure. The example provides the networking requirements, configuration roadmap, configuration procedure, and configuration files.

Networking Requirements

ARP is an open protocol that sets up IP-address-to-MAC-address mappings. On an Ethernet network, its simplicity, openness, and lack of security measures give attackers an opening. Attackers forge and send excessive ARP request and response packets to the router. Because the router's ARP buffer has limited storage capacity, it cannot cache legitimate ARP packets once it overflows. ARP security enables the router to process ARP request and reply packets separately, so that the router can rapidly respond to ARP request packets. ARP security also allows you to set a rate limit for ARP packets, so that excess ARP packets are discarded once the preset rate limit is reached.

As shown in Figure 3-4, only the user-side interface is connected to the Layer 2 devices. Therefore, configure ARP bidirectional isolation and ARP VLAN CAR on the user-side interface GE 0/1/0.

Figure 3-4 Network diagram of configuring ARP security
NOTE:
  • The configurations in this example are performed on Device. HUAWEI NE20E-S2 can function as Device.

  • Interface1 in this example is GE 0/1/0.


Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable ARP bidirectional isolation.

  2. Configure the rate limit of ARP packets to be sent to the CPU.

Data Preparation

To complete the configuration, you need the following data:

  • Rate limit of ARP packets to be sent to the CPU

Procedure

  1. Configure VLANs on the router. The configuration details are not provided here.
  2. Enable ARP bidirectional isolation.

    <HUAWEI> system-view
    [~HUAWEI] sysname Device
    [*HUAWEI] commit
    [~Device] interface gigabitethernet 0/1/0
    [~Device-GigabitEthernet0/1/0] arp-safeguard enable
    [*Device-GigabitEthernet0/1/0] commit

  3. Configure the rate limit of ARP packets on GE 0/1/0.

    [~Device-GigabitEthernet0/1/0] arp rate-limit 50
    [*Device-GigabitEthernet0/1/0] commit
    [~Device-GigabitEthernet0/1/0] quit

  4. Verify the configuration.

    Check ARP bidirectional isolation statistics on the interface board in slot 1.

    <Device> display arp-safeguard statistics slot 1
    ArpRequest-Count : 23
    ArpReply-Count   : 23
    ArpToCp-Count    : 23
    ArpDrop-Count    : 23

    Check the rate limit of ARP packets on GE 0/1/0.

    <Device> display arp rate-limit interface gigabitethernet 0/1/0
     Interface: GigabitEthernet0/1/0
         arp rate-limit: 50 

Configuration Files

#
 sysname Device
#
vlan 100
vlan 200
#
interface GigabitEthernet0/1/0
 undo shutdown
 portswitch
 port trunk allow-pass vlan 100 200
 arp-safeguard enable
 arp rate-limit 50
#
return
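
The following audit script is an added example, not part of the Huawei guide: it parses a configuration file in the layout shown above and reports Layer 2 (portswitch) interfaces that lack ARP bidirectional isolation or an ARP rate limit. The sample configuration, the interface GigabitEthernet0/1/1, and the max_rate policy threshold (defaulting to the value 50 used in this example) are assumptions.

```python
import re

# Constructed sample in the layout of the configuration file above;
# GigabitEthernet0/1/1 is a hypothetical second port left unprotected.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/1/0
 portswitch
 arp-safeguard enable
 arp rate-limit 50
#
interface GigabitEthernet0/1/1
 portswitch
 arp rate-limit 2000
#
return
"""

SAFEGUARD = re.compile(r"arp[- ]safe-?guard enable")  # lenient on hyphenation
RATE_LIMIT = re.compile(r"arp rate-limit (\d+)")

def parse_interfaces(config):
    """Map interface name -> stripped lines of its '#'-delimited stanza."""
    stanzas, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line in ("#", "return"):
            current = None  # stanza ended
        elif current is not None and line:
            current.append(line)
    return stanzas

def audit_arp_security(config, max_rate=50):
    """Return {interface: [findings]}; max_rate is an assumed policy value."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "portswitch" not in lines:
            continue  # only Layer 2 user-side ports are in scope
        findings = []
        # fullmatch keeps "undo arp-safeguard enable" from counting as enabled
        if not any(SAFEGUARD.fullmatch(l) for l in lines):
            findings.append("ARP bidirectional isolation not enabled")
        rates = [int(m.group(1)) for l in lines if (m := RATE_LIMIT.fullmatch(l))]
        if not rates:
            findings.append("no arp rate-limit configured")
        elif rates[0] > max_rate:
            findings.append(f"arp rate-limit {rates[0]} exceeds policy {max_rate}")
        report[name] = findings
    return report
```

Calling audit_arp_security(SAMPLE_CONFIG) returns an empty findings list for GigabitEthernet0/1/0 and two findings for the hypothetical GigabitEthernet0/1/1.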
Updated: 2019-01-02

Document ID: EDOC1100055397
